The auth/invalid-credential error occurs when your Firebase authentication credential is malformed, expired, or missing required fields like tokens or OAuth credentials. This typically affects OAuth providers, admin SDK operations, and credential linking scenarios.
Firebase throws the auth/invalid-credential error when the credential data you're using for authentication fails validation. This happens when credentials are malformed (incorrectly formatted), expired (past their validity period), missing required fields (like an accessToken for OAuth), or not properly initialized. The error can occur during sign-in operations, credential linking, admin SDK calls, or when re-authenticating users.
Verify that your credential object contains all required fields. For OAuth providers like Apple Sign-In, ensure both idToken and accessToken are present:
```javascript
import { OAuthProvider, signInWithCredential } from 'firebase/auth';

// credential() is an instance method on a provider created for 'apple.com'
const provider = new OAuthProvider('apple.com');

// For Apple Sign-In - INCORRECT (missing accessToken)
const incompleteCredential = provider.credential({
  idToken: appleIdToken
  // accessToken is missing!
});

// CORRECT - include accessToken from authorizationCode
const credential = provider.credential({
  idToken: appleIdToken,
  accessToken: appleAccessToken // Required!
});

await signInWithCredential(auth, credential);
```

For other OAuth providers, double-check your Firebase console configuration and ensure all required credentials from the provider are being passed.
Ensure Firebase is initialized correctly with valid credentials and not instantiated multiple times. Make sure the service account (if using admin SDK) is from the correct Firebase project:
```javascript
// Web SDK - initialize once
import { initializeApp } from 'firebase/app';
import { getAuth } from 'firebase/auth';

const firebaseConfig = { /* your config */ };
const app = initializeApp(firebaseConfig);
const auth = getAuth(app);

// Export for reuse - don't create multiple instances
export { auth };
```

For Admin SDK, download a fresh service account key from Firebase Console > Project Settings > Service Accounts > Generate New Private Key.
If using Admin SDK, token validation can fail if your server clock is out of sync. Verify and synchronize your server time:
```bash
# On Linux/Mac - check current time
date

# Sync time using NTP
sudo ntpdate -s time.nist.gov

# Or use timedatectl on systemd systems
timedatectl status
sudo timedatectl set-ntp true
```

This is especially critical for token-based authentication where expiry validation is time-sensitive.
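To tell a genuinely expired token from a skewed server clock, compare the token's `iat` and `exp` claims with the clock reading. This is an added example, not code from the original page or from Firebase; `checkTokenTimes`, `makeSampleToken`, the status names and the tolerance parameter are hypothetical, and the token is constructed.

```javascript
// Added example (not Firebase code). Decodes a JWT payload WITHOUT verifying the
// signature, only to compare its time claims with a clock reading.
function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a three-part JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// nowSeconds is injectable so a suspect clock reading can be replayed.
// toleranceSeconds is an assumed allowance, not a Firebase setting.
function checkTokenTimes(token, nowSeconds = Math.floor(Date.now() / 1000), toleranceSeconds = 0) {
  let claims;
  try {
    claims = decodeJwtPayload(token);
  } catch (err) {
    return { status: 'malformed', detail: err.message };
  }
  const { iat, exp } = claims || {};
  if (!Number.isInteger(iat) || !Number.isInteger(exp) || exp <= iat) {
    return { status: 'malformed', detail: 'iat/exp missing, non-integer or inverted' };
  }
  if (iat > nowSeconds + toleranceSeconds) {
    // A token cannot be issued in the future: the local clock is running behind.
    return { status: 'server-clock-behind', detail: `issued ${iat - nowSeconds}s in this clock's future` };
  }
  if (exp <= nowSeconds - toleranceSeconds) {
    // Either the token is old or the local clock is running ahead.
    return { status: 'expired-or-clock-ahead', detail: `expired ${nowSeconds - exp}s ago by this clock` };
  }
  return { status: 'ok', detail: `${exp - nowSeconds}s of validity left` };
}

// Constructed token: fixed header, placeholder signature.
function makeSampleToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.constructed-signature`;
}

const sampleToken = makeSampleToken({ iat: 1700000000, exp: 1700003600 });
for (const now of [1700000100, 1699999000, 1700003600]) {
  console.log(now, checkTokenTimes(sampleToken, now));
}
```

A `server-clock-behind` result on a freshly issued token points at the host's time synchronization rather than at the credential.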
Go to Firebase Console > Authentication > Sign-in method and ensure the providers you're using are enabled:
1. Navigate to your Firebase project console
2. Select Authentication from the left menu
3. Click the "Sign-in method" tab
4. Enable the sign-in providers you need (Email/Password, Google, Apple, Facebook, etc.)
5. For OAuth providers, ensure you've configured OAuth credentials in your provider's dashboard
6. For Apple Sign-In, verify that Team ID and Bundle ID are correctly set
If you're using Admin SDK and suspect your key is compromised or expired:
1. Go to Firebase Console > Project Settings > Service Accounts
2. Select your app and click "Generate New Private Key"
3. Download the new JSON key file
4. Update your application to use the new key:
```javascript
const admin = require('firebase-admin');

// Use the new service account key
const serviceAccount = require('./new-service-account-key.json');

admin.initializeApp({
  credential: admin.credential.cert(serviceAccount),
  databaseURL: 'https://your-project.firebaseio.com'
});
```

Keep your service account keys secure and never commit them to version control.
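A preflight check on the key file catches the two Admin SDK causes described above, a key from the wrong Firebase project and a malformed key, before it is used to initialize the SDK. This is an added example, not code from the original page or from Firebase; `checkServiceAccountKey` is a hypothetical helper, the field names are those of a Google service account JSON key, and the sample key and project ids are constructed.

```javascript
// Added example (not Firebase code). Every sample value below is constructed.
function checkServiceAccountKey(jsonText, expectedProjectId) {
  let key;
  try {
    key = JSON.parse(jsonText);
  } catch (err) {
    return ['not valid JSON: ' + err.message];
  }
  if (key === null || typeof key !== 'object' || Array.isArray(key)) {
    return ['top-level JSON value is not an object'];
  }
  const problems = [];
  // Fields the credential needs in order to be usable.
  for (const field of ['project_id', 'private_key', 'client_email']) {
    if (typeof key[field] !== 'string' || key[field].length === 0) {
      problems.push(`missing or empty "${field}"`);
    }
  }
  if (key.type !== 'service_account') {
    problems.push(`"type" is ${JSON.stringify(key.type)}, expected "service_account"`);
  }
  // A key from another project parses fine but is the wrong credential.
  if (typeof key.project_id === 'string' && key.project_id && key.project_id !== expectedProjectId) {
    problems.push(`key is for project "${key.project_id}", expected "${expectedProjectId}"`);
  }
  if (typeof key.private_key === 'string' && key.private_key.length > 0) {
    if (key.private_key.includes('\\n')) {
      // Typical after copying the key through an environment variable.
      problems.push('private_key contains literal "\\n" instead of newlines');
    } else if (!/^-----BEGIN PRIVATE KEY-----\n[\s\S]+\n-----END PRIVATE KEY-----\n?$/.test(key.private_key)) {
      problems.push('private_key is not a PEM "PRIVATE KEY" block');
    }
  }
  return problems;
}

// Constructed sample: placeholder key material, hypothetical project id.
const SAMPLE_KEY = JSON.stringify({
  type: 'service_account',
  project_id: 'example-project',
  private_key: '-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PRIVATE KEY-----\n',
  client_email: 'firebase-adminsdk-abc12@example-project.iam.gserviceaccount.com',
});

console.log(checkServiceAccountKey(SAMPLE_KEY, 'example-project'));
console.log(checkServiceAccountKey(SAMPLE_KEY, 'other-project'));
```

The function returns only problem descriptions, never key material, so its output is safe to log at startup.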
If a user's credential has expired, prompt them to re-authenticate:
```javascript
import { EmailAuthProvider, reauthenticateWithCredential } from 'firebase/auth';

// For email/password
const credential = EmailAuthProvider.credential(email, password);

try {
  await reauthenticateWithCredential(user, credential);
  console.log('User re-authenticated successfully');
} catch (error) {
  if (error.code === 'auth/invalid-credential') {
    // Credential is invalid - user needs to sign in again
    console.error('Invalid credential. Please sign in again.');
  }
}
```

This is particularly important for sensitive operations like changing passwords or email addresses.
Platform-specific considerations: For iOS/Flutter, ensure GoogleService-Info.plist is included and bundle identifiers match Firebase config. For Android, verify your SHA fingerprints in Firebase Console match your signed APK. For web frameworks like Next.js, initialize Firebase once at the module level, not inside components, to prevent multiple instances during server-side rendering. When using credential linking, be aware that anonymous credentials cannot be linked to credentials from accounts that already exist - check if the account exists before attempting to link. The auth/invalid-login-credentials error (used with email enumeration protection) is distinct from auth/invalid-credential and indicates a login attempt with wrong password rather than a malformed credential object.